E-Pro: Notes and Domino 6 Security Enhancements

After a long beta cycle and much testing by Lotus and users, another version of Domino is arriving as this article goes to print. With this thought looming, many CIOs, managers, and system administrators will now wonder whether it's worth the effort to move to Notes and Domino 6 (ND6). Some are still wondering what the next step will be from their 4.6x versions!

One of the most important aspects of your messaging and collaboration system is security, and some of the security improvements in ND 6 are related to more granularity in administrative functions. For example, can you imagine the ability to extend tiny pieces of server and database administration to users without giving them the keys to the kingdom? How about enhanced certificate management and new smart card integration for the Notes client? Well, loosen your imagination because Lotus listened to the administrators and developers to create some wonderful security enhancements.

User Registration

The most exciting change in Domino security involves the user registration process. Previously, the administrator or a delegate needed a copy of the certifier ID and its password in order to register users. Now an administrator can grant particular individuals or groups the right to create new users, without direct access to the certifier or its password, by assigning them rights in the Certificate Authority (CA). (Note that in R5, CA referred only to Internet certificates; Notes certificates are now part of the CA process too.)

This new role is the Registration Authority (RA) administrator. Each certifier can be given its own RAs to offload and delegate administration. It's all done via the CA process, which consists of the CA and Certificate Requests (Certreq.NSF) databases and a new CA server task. Only one CA task runs on a server, but it can service numerous certifiers registered in the CA database.

The Certificate Requests database holds active certificate and revocation requests, which the administration process picks up for processing. Requests may be processed manually or automatically. If you choose automatic processing, the administrator must be permitted to run unrestricted agents in the Security section of the Server document for the server where the databases reside.

You can manage the CA server task from the Domino console with Tell commands. A key capability is locking a certifier by its lock ID so that no new certificates can be issued from it. An administrator can also process pending requests immediately and then push an unscheduled Certificate Revocation List (CRL) to the Domino Directory, for example after a security breach or when someone must be cut off at once. For a full list of the available commands, see the Lotus Domino Administrator 6 Help at http://www-10.lotus.com/ldd/notesua.nsf/find/dominornext.

CRLs list revoked or expired Internet certificates. You can view CRLs in the Issued Certificate List (ICL) database. An ICL database is created each time a new certifier is entered into the CA, and it stores the certificates that haven't expired. A certifier document is created at the same time and placed in the Domino Directory. This new area entails some configuration, but it can simplify certificate management.

Extended ACLs

ND6 also introduces extended Access Control List (xACL) entries, which apply only to the Domino Directory, the Administration Requests database, and the Extended Directory Catalog. You configure the xACL on the Advanced tab under File, Database, Access Control. This new granular access level even allows document-level control. Some developers may point out that Reader and Author name fields already provide this. But with an xACL you don't have to add those fields to every form you want to protect; you can apply the restriction to all the necessary forms at once through a single interface. The xACL has three components: Privileges, Targets, and Names, all defined in the Lotus Domino Administrator 6 Help. Keep in mind that an xACL can only further restrict access: it can't grant rights beyond those already provided by the database ACL or by Reader and Author name fields.

Server Document Security

The next place you'll see major change in ND6 (once your Domino Directory design is updated) is the Server document itself. Lotus has changed several tabs to add fields and configuration areas while preserving backward compatibility, and some fields have been moved or modified. The main Security tab remains in the Server document (Figure 1), but its sections and fields have been rearranged. For example, the former Server Access section is now titled Administrators. The previous setting that granted browser-based server administration still appears (for backward compatibility), but it isn't used in ND6; with the new fields, that control passes to the ACL of the Webadmin.NSF database.

All of the new fields in the Server document accept users, groups, and wildcards. I suggest using groups, or a wildcard for an organizational unit (OU) if your naming hierarchy is designed that way, to ease administration of these fields.

One of my favorite new security fields is View-only Administrators. It lets a user open a server console with the Administrator client or another console tool and issue simple status commands (e.g., Show users, Show server, Show tasks, Show stats) to see the state of the server. It's certainly helpful for senior help desk staff to be able to see server status. When such employees can confirm that tasks are running and view simple server statistics, you can decrease the number of calls that escalate to the next level in your support organization.

The Restricted System Administrator field lets its members issue only the server commands listed in the Restricted System Commands field. An administrator can now give a junior administrator access limited to general maintenance tasks. For example, in a distributed environment with WAN or even dial-up access to servers, you could give someone local to the site the right to perform a few simple operations (e.g., Fixup, Compact, Updall).

A welcome new administration level is Database Administrator. According to the documentation, users in this field can adjust ACLs, set administration servers, and delete databases as needed, while server commands and controls remain restricted to Domino administrators. In testing this field, I determined that users placed in it have rights to compact and create full-text indexes but not to manage the ACL. Either a correct listing in the ACL or higher server administrator rights is necessary for ACL maintenance.

Full Remote Console Administrators is self-explanatory. You can issue any server console command, including the ability to shut down the Domino server.

Administrators takes on a new meaning while offering the same capabilities provided in previous Domino releases. In my testing, I found no changes in rights from what existed in the R5 Administrators field.

The biggest change is the new Full Access administrators field. This level includes everything an Administrator can do, plus Manager access to every database on the server regardless of its ACL. Give this field careful consideration before populating it. For example, some enterprises forbid administrators from holding default Manager access, because it opens mail files and other databases that may contain sensitive information. Encrypting the data within the database is the best precaution when using this feature: a Full Access administrator bypasses the ACL, but reading encrypted fields or documents still requires the key held in the intended reader's ID file.
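The three console tiers described above (View-only, Restricted System, and Full Remote Console administrators) amount to a deny-by-default authorization check over a command string. The following is an added example written for this article, not Domino code: it models those fields, expands groups (including nested groups), matches Notes-style wildcard entries such as `*/Sales/Acme`, and decides whether a named user may run a given console command. The wildcard and command-matching semantics (suffix match on the name hierarchy, prefix match on the command words) and all names in the sample configuration are assumptions for illustration. Administrators and Full Access administrators are left out because the passage describes them in terms of database rights rather than console commands.

```python
"""Console-command authorization modelled on the Domino 6 Server document fields.

Added example; not Domino's implementation. Name-matching and command-matching
rules are assumed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Status-only commands quoted in the article for View-only Administrators.
VIEW_ONLY_COMMANDS = {"show users", "show server", "show tasks", "show stats"}


@dataclass(frozen=True)
class ServerSecurity:
    """The console-related fields of a Server document (simplified)."""
    view_only_admins: set[str]
    restricted_admins: set[str]
    restricted_commands: set[str]        # the Restricted System Commands field
    full_console_admins: set[str]
    groups: dict[str, set[str]] = field(default_factory=dict)  # group -> members


def name_matches(entry: str, user: str) -> bool:
    """Match an abbreviated hierarchical name against one field entry.

    Assumed semantics: '*/Sales/Acme' matches any name whose trailing
    components are '/Sales/Acme'; anything else must match exactly.
    Comparison is case-insensitive, as Notes names are.
    """
    entry_l, user_l = entry.lower(), user.lower()
    if entry_l.startswith("*/"):
        return user_l.endswith(entry_l[1:])
    return entry_l == user_l


def expand(entries: set[str], groups: dict[str, set[str]], seen: set[str] | None = None) -> list[str]:
    """Flatten group membership. Nested groups are followed; cycles are tolerated."""
    if seen is None:
        seen = set()
    names: list[str] = []
    for entry in entries:
        if entry in groups:
            if entry in seen:
                continue
            seen.add(entry)
            names.extend(expand(groups[entry], groups, seen))
        else:
            names.append(entry)
    return names


def listed_in(field_entries: set[str], user: str, groups: dict[str, set[str]]) -> bool:
    """True if the user matches any name or wildcard reachable from the field."""
    return any(name_matches(e, user) for e in expand(field_entries, groups))


def _norm(command: str) -> str:
    return " ".join(command.lower().split())


def _permits(allowed: set[str], cmd: str) -> bool:
    """A command is permitted if it equals an allowed entry or extends it with arguments."""
    return any(cmd == a or cmd.startswith(a + " ") for a in map(_norm, allowed))


def authorize(user: str, command: str, sec: ServerSecurity) -> tuple[bool, str]:
    """Decide whether `user` may issue `command`; deny unless a tier grants it."""
    cmd = _norm(command)
    if listed_in(sec.full_console_admins, user, sec.groups):
        return True, "Full Remote Console administrator"
    if listed_in(sec.restricted_admins, user, sec.groups) and _permits(sec.restricted_commands, cmd):
        return True, "Restricted System administrator (command listed in Restricted System Commands)"
    if listed_in(sec.view_only_admins, user, sec.groups) and _permits(VIEW_ONLY_COMMANDS, cmd):
        return True, "View-only administrator"
    return False, "not authorized for this command"


# Constructed sample configuration (all names hypothetical).
EXAMPLE = ServerSecurity(
    view_only_admins={"HelpDeskSenior"},
    restricted_admins={"*/Remote Site/Acme"},
    restricted_commands={"load fixup", "load compact", "load updall"},
    full_console_admins={"DominoAdmins"},
    groups={
        "HelpDeskSenior": {"Pat Lee/Support/Acme"},
        "DominoAdmins": {"Jane Doe/IT/Acme", "SecurityTeam"},
        "SecurityTeam": {"Sam Roy/IT/Acme", "DominoAdmins"},  # nested group with a cycle
    },
)

if __name__ == "__main__":
    for user, cmd in [
        ("Pat Lee/Support/Acme", "show tasks"),
        ("Pat Lee/Support/Acme", "load compact mail.box"),
        ("Lou Kim/Remote Site/Acme", "Load Compact mail/lkim.nsf"),
        ("Lou Kim/Remote Site/Acme", "quit"),
        ("Sam Roy/IT/Acme", "quit"),
    ]:
        print(f"{user:28} {cmd:28} -> {authorize(user, cmd, EXAMPLE)}")
```

The point of the sample is the shape of the policy: every request is denied unless one field explicitly covers both the user and the command, and the Restricted System Commands list is the only thing that separates a site-local operator running Compact from one running Quit.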

Administrators should be aware that Lotus has changed the behaviour of some security fields that existed in previous releases. In the past, fields such as "Access server," "Not access server," and "Only allow server access to users listed in this Directory" applied only to Notes clients. They can now be applied to the Internet protocols as well. This isn't enabled by default; you must modify the Internet Ports settings in the Server document for each protocol to which you want these restrictions to apply.

HTTP Security Changes

Another important change is in the HTTP task. Lotus has hardened HTTP in several areas where Web servers typically come under attack. For example, to help prevent buffer-overflow attacks, Lotus has added the following request limits:

  • The maximum request URL length is now 4 KB.
  • URL path segments (e.g., http://www.abc.com/a/b/c/d/e/f/g/h has eight) are limited to 64 by default.
  • The maximum number of request headers defaults to 48.
  • Request headers are limited to 16 KB in total.
Also, the maximum size of request content, which includes attachment uploads and posted data, now defaults to 10 MB. This prevents a user from overloading the server with a single oversized request. A value of zero nominally means "no limit," but an internal ceiling of 4 GB still applies.

You can increase some of these settings in the Server document, but unless you have a need, I don't recommend it. As more varied types of attacks are made against Web servers, these enhancements to the management of the Domino HTTP task will become more important.
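To make the limits above concrete, here is an added example (not Domino code) that applies the same five checks to a raw HTTP request head before any body is read. The limit values are the defaults quoted in the article; how each quantity is measured (bytes of the request target, non-empty path segments, header lines, header bytes including the CRLF) is an assumption made for the illustration, and `build_request` only constructs test input.

```python
"""Request-head limit checks in the spirit of the Domino 6 HTTP task.

Added example, not Domino's code. Limit values are the article's defaults;
the measuring rules are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

HARD_CONTENT_CEILING = 4 * 1024 * 1024 * 1024  # 4 GB, applies even when the configured limit is 0


@dataclass(frozen=True)
class Limits:
    max_url_bytes: int = 4 * 1024
    max_path_segments: int = 64
    max_header_count: int = 48
    max_header_bytes: int = 16 * 1024
    max_content_bytes: int = 10 * 1024 * 1024  # 0 means "no configured limit"


DEFAULTS = Limits()


def check_request(raw: bytes, limits: Limits = DEFAULTS) -> list[str]:
    """Return the limit violations for one HTTP/1.x request; an empty list means accepted.

    Only the request head is inspected. The body is judged by Content-Length,
    so an oversized upload is rejected before the server reads it.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete request head"]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["malformed request line"]
    _method, target, _version = parts
    header_lines = lines[1:]
    violations: list[str] = []

    if len(target) > limits.max_url_bytes:
        violations.append(f"url too long ({len(target)} > {limits.max_url_bytes})")

    # Count non-empty path segments; the query string is not part of the path.
    segments = [s for s in target.split(b"?", 1)[0].split(b"/") if s]
    if len(segments) > limits.max_path_segments:
        violations.append(f"too many path segments ({len(segments)} > {limits.max_path_segments})")

    if len(header_lines) > limits.max_header_count:
        violations.append(f"too many headers ({len(header_lines)} > {limits.max_header_count})")

    header_bytes = sum(len(line) + 2 for line in header_lines)  # +2 for each line's CRLF
    if header_bytes > limits.max_header_bytes:
        violations.append(f"headers too large ({header_bytes} > {limits.max_header_bytes})")

    content_length = 0
    for line in header_lines:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            try:
                content_length = int(value.strip())
            except ValueError:
                content_length = -1
            break
    if content_length < 0:
        violations.append("invalid Content-Length")
    else:
        ceiling = min(limits.max_content_bytes or HARD_CONTENT_CEILING, HARD_CONTENT_CEILING)
        if content_length > ceiling:
            violations.append(f"request body too large ({content_length} > {ceiling})")
    return violations


def build_request(path: str, headers: dict[str, str] | None = None, body: bytes = b"") -> bytes:
    """Assemble a minimal HTTP/1.1 request (constructed test input, not captured traffic)."""
    lines = [f"GET {path} HTTP/1.1", "Host: domino.example.com"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


if __name__ == "__main__":
    samples = {
        "normal": build_request("/mail/jsmith.nsf?OpenDatabase"),
        "deep path": build_request("/" + "/".join(f"d{i}" for i in range(65))),
        "long url": build_request("/" + "a" * 4096),
        "big upload": build_request("/upload", {"Content-Length": str(11 * 1024 * 1024)}),
    }
    for label, req in samples.items():
        print(f"{label:10} -> {check_request(req) or 'accepted'}")
```

Note the treatment of the "no limit" setting: a configured value of 0 still falls under the 4 GB ceiling, which is why `Limits(max_content_bytes=0)` accepts a 3 GB Content-Length but not a 5 GB one.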

Notes Client Security Enhancements

A casual Notes user may find some of the new certificate and security features overwhelming. The average user will never modify or investigate most of them. But as Notes and Domino reach further into Internet integration, and as security becomes a more prevalent demand, enterprises will demand to have them available.

One new feature lets you blank the Notes client screen when your ID is logged out after inactivity, or press F5 to lock the client so no one can see what you were viewing. (In R5 and earlier releases, you couldn't open documents once the client was locked, but if a database was left open, the documents in its view remained visible. This was a potential security risk.) You can even place your own image on the screen when it's locked. The setting to blank the screen is found in user preferences and in the ID file properties.

In previous Domino releases, configuration items were scattered across the client. ND6 lets you manage these items in an easily navigated user interface (Figure 2). Some changes may occur after this article is published (ND6 is still at Pre-Release 2, and nothing is set in stone until the Gold version is released), but the current version is already a huge leap toward a unified place for managing encryption, certificates, and security preferences for the client.

First, you now use a different menu option to inspect a User.ID file. The user selects File, Security, User Security to display the dialog. The structure of this information has moved and changed a bit to account for the new features and functionality.

The Basics section includes name and certificate information for the user, the ability to change the user password, and the ability to set the idle timeout. The administrator can create a server-wide setting to synchronize user IDs and Internet passwords. (This ability was missing in R5 but desired by large shops that didn't want to manage this field.) The user can override this administrator setting so the two passwords don't synchronize. However, unless this synchronization was included in a policy assigned to the user or was selected during the user registration process, the user cannot enable this option. (For information about policies in ND6, see the Lotus Domino Administrator 6 Help.)

Another added option is a button for users to click when they believe that their Notes User.ID passwords have been compromised. The button initiates a four-step process for the user to follow to help secure the ID file.

The section titled Your Identity contains three subsections. Your Names simply contains your current certified name plus aliases it finds from the Domino Directory. There are no variables to change. The subsection Your Certificates (formerly Certificates when you're inspecting an ID on the R5 client) has a wonderful drop-down list to inspect all Notes, Internet, and saved key information. The previous R5 abilities of requesting new certificates, requesting name changes, and creating safe.id files are located in this section now, too. A new subsection, Your Smartcard, is also configured here.

I encourage sites to look at the option of smart cards where possible. Lotus has taken advantage of this technology within the Notes client. In ND6, you select the necessary smart card driver and then configure Notes to use it. The smart card must be with the user at every login; the user enters the smart card PIN (rather than the Notes ID password) to authenticate. I suggest following the advice of Lotus and backing up your ID file before you embed the smart card information into it.

It's not possible, however, to move your Notes certificate to the smart card (although this would be a useful feature). You can move Internet certificates (e.g., S/MIME for Internet mail encryption) to the smart card from the interface. But you can't move existing certificates on the smart card back into Notes.

The subsection People, Services under Identity of Others lets a user query a local address book and/or Domino server for certificate and trust information on users. Another drop-down menu lets you show all users that you trust already by their Notes or Internet certificates. This menu lets you manage these certificates centrally, whereas in previous releases you had to search your Personal Address Book (PAB) view for certificates.

A new enhancement that deserves a special mention is users' ability to download the trusted certificates that are stored in the Domino Directory on their home servers (that is, to merge them into their user ID files) or to simply browse other address books to find a certificate. The user clicks the radio button "Find more about people/services," and a button appears to offer the choice to retrieve the administrative defaults. This way, the Domino administrator can build a trusted list once and users can retrieve that trust when needed directly from the server. Of course, automated ways of distributing this trust are always easier, but this feature lets users be selective or take the entire trusted list for their enterprises.

You can also retrieve an Internet certificate and import it into your ID file. After you click the button "Retrieve Internet service certificate," a pop-up box appears to let the user specify an Internet site name and optional protocol/port information. All the default protocol/port choices for HTTP, Lightweight Directory Access Protocol (LDAP), and Simple Mail Transfer Protocol (SMTP) are the SSL ports for security when retrieving the certificates.

When testing options in the Authorities section, I was able to reproduce what Notes thought was an attack or corrupt certificate (Figure 3). For administrators who must cross-certify with numerous sites, this is a welcome new security feature. The user sets the trust (or, if the certificates are downloaded from the central authority, the administrator has set the trust) for each certificate.

The previous Execution Control List (ECL) has been moved into a section called What Others Do. Here, the user specifies which permissions the signer of a piece of code or agent may perform on the local workstation. The client also now receives more detailed information when an ECL alert pops up. Details about the signature and design note are included to help the user make an informed decision about whether to trust the requested action.

The Log.NSF on the Notes client shows entries for ECL events. Previously, once an event occurred, no audit trail was available for the action. The design title, NoteID, database title, and even the path are now stored in the Miscellaneous Events view. Also, changes that are pushed to the client through programmatic actions (such as an ECL refresh) that modify the ECL in any way (including adds and deletes) are logged in the same place.

Notes Data lets you configure default encryption settings for any new local replicas. The Documents subsection lets you view and control the secret keys (symmetric document-encryption keys) stored in the user.id file. You can create, mail, and import secret keys from a drop-down list or button. These keys let you encrypt individual documents and share the key only with the people you trust.

Encryption settings for mail, signature warnings, and Internet Mail style options are listed in the Mail section. You can import, retrieve, and examine certificates used for encrypting Internet mail. You can also edit all the locations that must use the new or existing certificate.

Final Observations

Security management has come to the forefront of most enterprises. CIOs are now given directives to obtain and manage certificates for encryption and SSL and to unify the multiple directories across their companies. This single-interface management ability has become crucial to Domino to allow it to move ahead and bring user ID files and Internet certificates closer together. I hope this information about ND6 helps guide you in upgrade decisions.